
Since when did the term "responsible disclosure" mean allowing the vendor unlimited time to fix it?


When Microsoft decided they needed more than 90 days to release a patch.

https://bugs.chromium.org/p/project-zero/issues/detail?id=10...

I'd say 30 days is enough. Google was generous with ninety. (They too live in a glass house after all).


Not everything is a web app that can be patched in 5 minutes and doesn't need to run in one hundred million different environments.


If it's not unlimited, what's the limit? Apparently a month isn't long enough.


They admitted they never contacted Apple product security, which means they never notified Apple to begin with. That month you see at the top of the writeup appears to be how long they waited for ZDI before deciding to publish, not how long they waited for Apple to fix it.


So what? They owe Apple nothing. They owe you nothing.

Unless you are taking requests from random HN commenters for software that you would like to build them for free, I suggest you rethink your suggestion for highly skilled researchers to donate charity labor to the largest corporation in the world.


This has nothing to do with owing Apple anything and instead has to do with not intentionally compromising the security of millions of innocent people around the world.

And before you interpret this to mean never disclosing publicly, that’s not what I’m saying. But no matter what your opinion is on the best way to handle disclosure, releasing a 0day without any attempt whatsoever to notify the vendor is highly irresponsible and immoral.


No, it isn't.



